Shared Variable Proof Methods, Hardware-Assisted Critical Sections - - PowerPoint PPT Presentation

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Shared Variable Proof Methods, Hardware-Assisted Critical Sections

• Dr. Liam O’Connor

University of Edinburgh LFCS (and UNSW) Term 2 2020

1

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Where we are at

In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes.

2

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Where we are at

In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes. We also introduced the SPIN model checking tool for rigorous analysis of candidate solutions.

3

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Where we are at

In the last lecture we introduced the critical section problem, the four properties of critical section solutions, and some solutions for two processes. We also introduced the SPIN model checking tool for rigorous analysis of candidate solutions. In this lecture, we will introduce a formal proof method for verifying safety properties, and apply it to a new kind of critical section solution that relies on hardware support.

4

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions.

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ.

7

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ. i ← 0; s ← 0; while i = N do s ← s + i; i ← i + 1

• d

8

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ. i ← 0; s ← 0; while i = N do s ← s + i; i ← i + 1

• d

ℓ0

9

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ. i ← 0; s ← 0; while i = N do s ← s + i; i ← i + 1

• d

ℓ0 ℓ1 ⊤; i ← 0

10

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ. i ← 0; s ← 0; while i = N do s ← s + i; i ← i + 1

• d

ℓ0 ℓ1 ⊤; i ← 0 ℓ2 s ← 0

11

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ. i ← 0; s ← 0; while i = N do s ← s + i; i ← i + 1

• d

ℓ0 ℓ1 ⊤; i ← 0 ℓ2 s ← 0 ℓ3 i = N; s ← s + i i ← i + 1

12

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Transition Diagrams

Definition A transition diagram is a tuple (L, T, s, t) where: L is a set of locations (program counter values). s ∈ L is a entry location. t ∈ L is a exit location. T is a set of transitions. A transition is written as ℓi

g;f

− − → ℓj where: ℓi and ℓj are locations. g is a guard Σ → B f is a state update Σ → Σ. i ← 0; s ← 0; while i = N do s ← s + i; i ← i + 1

• d

ℓ0 ℓ1 ⊤; i ← 0 ℓ2 s ← 0 ℓ3 i = N; s ← s + i i ← i + 1 ℓ4 i = N

13

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ}

14

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ} This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ.

15

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ} This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ. Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram (L, T, s, t):

16

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ} This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ. Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram (L, T, s, t):

1

Associate with each location ℓ ∈ L an assertion Q(ℓ) : Σ → B.

17

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ} This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ. Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram (L, T, s, t):

1

Associate with each location ℓ ∈ L an assertion Q(ℓ) : Σ → B.

2

Prove that this assertion network is inductive, that is: For each transition in T ℓi

g;f

− − → ℓj show that: Q(ℓi) ∧ g ⇒ Q(ℓj) ◦ f

18

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ} This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ. Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram (L, T, s, t):

1

Associate with each location ℓ ∈ L an assertion Q(ℓ) : Σ → B.

2

Prove that this assertion network is inductive, that is: For each transition in T ℓi

g;f

− − → ℓj show that: Q(ℓi) ∧ g ⇒ Q(ℓj) ◦ f

3

Show that ϕ ⇒ Q(s) and Q(t) ⇒ ψ.

19

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Floyd Verification

Recall the definition of a Hoare triple for partial correctness: {ϕ} P {ψ} This states that if the program P successfully executes from a starting state satisfying ϕ, the result state will satisfy ψ. Observe that this is a safety property. Verifying Partial Correctness Given a transition diagram (L, T, s, t):

1

Associate with each location ℓ ∈ L an assertion Q(ℓ) : Σ → B.

2

Prove that this assertion network is inductive, that is: For each transition in T ℓi

g;f

− − → ℓj show that: Q(ℓi) ∧ g ⇒ Q(ℓj) ◦ f

3

Show that ϕ ⇒ Q(s) and Q(t) ⇒ ψ.

Liam will now demonstrate on the previous example

20

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Adding Concurrency

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N

21

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Adding Concurrency

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N

22

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Adding Concurrency

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N p0q0 p0q1 p0q2 j = N; m ← x x, j ← m − 1, j + 1 j = N p1q0 p1q1 p1q2 j = N; m ← x x, j ← m − 1, j + 1 j = N p2q0 p2q1 p2q2 j = N; m ← x x, j ← m − 1, j + 1 j = N i = N; n ← x x, i ← n + 1, i + 1 i = N i = N; n ← x x, i ← n + 1, i + 1 i = N i = N; n ← x x, i ← n + 1, i + 1 i = N

23

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Adding Concurrency

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N p0q0 p0q1 p0q2 j = N; m ← x x, j ← m − 1, j + 1 j = N p1q0 p1q1 p1q2 j = N; m ← x x, j ← m − 1, j + 1 j = N p2q0 p2q1 p2q2 j = N; m ← x x, j ← m − 1, j + 1 j = N i = N; n ← x x, i ← n + 1, i + 1 i = N i = N; n ← x x, i ← n + 1, i + 1 i = N i = N; n ← x x, i ← n + 1, i + 1 i = N

Parallel Composition Given two processes P and Q with transition diagrams (LP, TP, sP, tP) and (LQ, TQ, sQ, tQ), the parallel composition

• f P and Q, written P Q is defined as

(L, T, s, t) where: L = LP × LQ s = sPsQ t = tPtQ piqi

g;f

− − → pjqi ∈ T if pi

g;f

− − → pj ∈ TP piqi

g;f

− − → piqj ∈ T if qi

g;f

− − → qj ∈ TQ

24

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

State Space Explosion

If we were SPIN, we would immediately begin exhaustively analysing this large

• diagram. But human brains don’t have that much storage space.

25

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

State Space Explosion

If we were SPIN, we would immediately begin exhaustively analysing this large

• diagram. But human brains don’t have that much storage space.

Problem Then number of locations and transitions grows exponentially as the number of processes increases.

26

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

State Space Explosion

If we were SPIN, we would immediately begin exhaustively analysing this large

• diagram. But human brains don’t have that much storage space.

Problem Then number of locations and transitions grows exponentially as the number of processes increases. We can only use Floyd’s method directly on the parallel composition (product) diagram in the most basic examples.

27

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

State Space Explosion

If we were SPIN, we would immediately begin exhaustively analysing this large

• diagram. But human brains don’t have that much storage space.

Problem Then number of locations and transitions grows exponentially as the number of processes increases. We can only use Floyd’s method directly on the parallel composition (product) diagram in the most basic examples. Our Solution We will instead use a method that allows us to define only inductive assertion networks for P and Q individually, and, by proving some non-interference properties derive an inductive network for P Q automatically. This means we won’t have to draw that large product diagram!

28

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Owicki-Gries Method

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N Steps To show {ϕ} P Q {ψ}:

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Owicki-Gries Method

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N Steps To show {ϕ} P Q {ψ}:

1

Define local assertion networks P and Q for both processes. Show that they’re inductive.

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Owicki-Gries Method

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N Steps To show {ϕ} P Q {ψ}:

1

Define local assertion networks P and Q for both processes. Show that they’re inductive.

2

For each location p ∈ LP, show that P(p) is not falsified by any transition of Q. That is, for each q

g;f

− − → q′ ∈ TQ: P(p) ∧ Q(q) ∧ g ⇒ P(p) ◦ f

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Owicki-Gries Method

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N Steps To show {ϕ} P Q {ψ}:

1

Define local assertion networks P and Q for both processes. Show that they’re inductive.

2

For each location p ∈ LP, show that P(p) is not falsified by any transition of Q. That is, for each q

g;f

− − → q′ ∈ TQ: P(p) ∧ Q(q) ∧ g ⇒ P(p) ◦ f

3

Vice versa for Q.

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Owicki-Gries Method

p0 p1 p2 i = N; n ← x x, i ← n + 1, i + 1 i = N q0 q1 q2 j = N; m ← x x, j ← m − 1, j + 1 j = N Steps To show {ϕ} P Q {ψ}:

1

Define local assertion networks P and Q for both processes. Show that they’re inductive.

2

For each location p ∈ LP, show that P(p) is not falsified by any transition of Q. That is, for each q

g;f

− − → q′ ∈ TQ: P(p) ∧ Q(q) ∧ g ⇒ P(p) ◦ f

3

Vice versa for Q.

4

Show that ϕ ⇒ P(sP) ∧ Q(sQ) and P(tP) ∧ Q(tQ) ⇒ ψ.

33

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

How does it help?

The Owicki-Gries method generalises to n processes just by requiring more interference freedom obligations.

34

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

How does it help?

The Owicki-Gries method generalises to n processes just by requiring more interference freedom obligations. Derived Assertion Network The automatic assertion network we get for the parallel composition from the Owicki-Gries method is the conjunction of the local assertions at each of the component states.

35

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

How does it help?

The Owicki-Gries method generalises to n processes just by requiring more interference freedom obligations. Derived Assertion Network The automatic assertion network we get for the parallel composition from the Owicki-Gries method is the conjunction of the local assertions at each of the component states. Given k transitions and m locations per process, using Floyd’s method on the parallel composition of n processes requires us to do 2 + n · k · mn−1 proofs!

36

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

How does it help?

The Owicki-Gries method generalises to n processes just by requiring more interference freedom obligations. Derived Assertion Network The automatic assertion network we get for the parallel composition from the Owicki-Gries method is the conjunction of the local assertions at each of the component states. Given k transitions and m locations per process, using Floyd’s method on the parallel composition of n processes requires us to do 2 + n · k · mn−1 proofs! The Owicki-Gries method reduces that to 2 + n · k · (1 + (n − 1) · m) — merely quadratic in n.

37

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Proving Mutual Exclusion

The Owicki-Gries method can be used to prove properties like Mutual Exclusion.

38

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Proving Mutual Exclusion

The Owicki-Gries method can be used to prove properties like Mutual Exclusion. How? Don’t have a postcondition. Instead make the assertions at the critical sections contradictory – so that they cannot be true simultaneously.

39

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Proving Mutual Exclusion

The Owicki-Gries method can be used to prove properties like Mutual Exclusion. How? Don’t have a postcondition. Instead make the assertions at the critical sections contradictory – so that they cannot be true simultaneously. Caution: Ensure that each transition does not violate the limited critical reference rule!

40

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Proving Mutual Exclusion

The Owicki-Gries method can be used to prove properties like Mutual Exclusion. How? Don’t have a postcondition. Instead make the assertions at the critical sections contradictory – so that they cannot be true simultaneously. Caution: Ensure that each transition does not violate the limited critical reference rule! Manna-Pnueli Algorithm integer wantp, wantq ← 0, 0 forever do forever do p1 non-critical section q1 non-critical section p2 if wantq = −1 q2 if wantp = −1 then wantp ← −1 then wantq ← 1 else wantp ← 1 else wantq ← −1 p3 await wantq = wantp q3 await wantq = −wantp p4 critical section q4 critical section p5 wantp ← 0 q5 wantq ← 0

Note: The p2 and q2 steps are one atomic step!

41

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Machine Instructions

What about if we had a single machine instruction to swap two values atomically, XC?

42

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

Machine Instructions

What about if we had a single machine instruction to swap two values atomically, XC? bit common ← 1 bit tp ← 0 bit tq ← 0 forever do forever do p1 non-critical section q1 non-critical section repeat repeat p2 XC(tp, common) q2 XC(tq, common); p3 until tp = 1 q3 until tq = 1 p4 critical section q4 critical section p5 XC(tp, common) q5 XC(tq, common)

43

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

One Big Invariant

Imagine assertion network(s) where every assertion is the same: An invariant.

44

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

One Big Invariant

Imagine assertion network(s) where every assertion is the same: An invariant. Benefit: We don’t need to prove interference freedom — the local verification conditions already show that the invariant is preserved.

45

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

One Big Invariant

Imagine assertion network(s) where every assertion is the same: An invariant. Benefit: We don’t need to prove interference freedom — the local verification conditions already show that the invariant is preserved. Example (Exchange-based Critical Section Solution) Using assertions about the program counters, we can craft an invariant for the XC example!

46

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

One Big Invariant

Imagine assertion network(s) where every assertion is the same: An invariant. Benefit: We don’t need to prove interference freedom — the local verification conditions already show that the invariant is preserved. Example (Exchange-based Critical Section Solution) Using assertions about the program counters, we can craft an invariant for the XC example! I ≡ (common ⊕ tp ⊕ tq) = 1 ∧ (P@p4 ⇒ tp = 1) ∧ (Q@q4 ⇒ tq = 1) Where ⊕ is exclusive or (xor). Note that this is false at p4q4. So if this invariant is preserved we have mutex.

47

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

One Big Invariant

Imagine assertion network(s) where every assertion is the same: An invariant. Benefit: We don’t need to prove interference freedom — the local verification conditions already show that the invariant is preserved. Example (Exchange-based Critical Section Solution) Using assertions about the program counters, we can craft an invariant for the XC example! I ≡ (common ⊕ tp ⊕ tq) = 1 ∧ (P@p4 ⇒ tp = 1) ∧ (Q@q4 ⇒ tq = 1) Where ⊕ is exclusive or (xor). Note that this is false at p4q4. So if this invariant is preserved we have mutex. Lets prove mutual exclusion for XC!

48

Transition Diagrams Owicki-Gries Method Invariants and Machine Instructions

What now?

You now have all you need to complete Assignment 0 (warm-up), due next Thursday. I have posted some Promela exercises about XC style solutions we will discuss next week (also due next Thursday). Next week: We will examine some more sophisticated critical section solutions for n processes. We may also learn about semaphores, time permitting!.

49